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Bitcoin uses elliptic curve cryptography for its keys and signatures, but the 
specific secp256k1 curve used is rather unusual. The ECDSA keys used to 
generate Bitcoin addresses and sign transactions are derived from some 
specific parameters. Due to this characteristic, several questions come up 
concerning Satoshi’s choice of this curve rather than that of the NIST 


standard secp256rl curve. Former President Dan Brown’s address to Bitcoin 





users on the Bitcoin talk.org online forum concerning the use of secp256k1 
Keywords: in Bitcoin of SECG showed his surprise to see someone uses SECG 
secp256k1 instead of secp256r1 of NIST. In this article, we will analyze the 





Bitcoin random secp256rl curve and the Koblitz Secp256k1 curve (parameters, 

ECC equation, automorphism...), by giving the strengths and weaknesses of each 

Mining one of them, in order to justify the choice of Bitcoin’s creator, and then we 

Secp256k1 will tackle the mining using the new graphic cards. 

Secp256r1 ; . ; ; . 
Copyright © 2019 Institute of Advanced Engineering and Science. 

All rights reserved. 
Corresponding Author: 


Azine Houria, 

Institute of Aeronautics and Space Studies. 
Laboratory of Aeronautical Sciences. 
Blidal University Algeria , Algeria 

Email: azinehou @ yahoo. fr 








1. INTRODUCTIO 

Elliptical Curve Cryptography (ECC) introduced by Neal Koblitz and Victor Miller allows the 
achievement of asymmetric cryptography and faster signature than in RSA for a similar level of 
security [1], [2]. In addition, compared to RSA, ECC allows the computation of pairings that currently allows 
building of new cryptographic protocols, which can be an advantage for some applications. 

Two organisms are known to patent most of the elliptic curve algorithmic properties, namely 
NIST [3] and Certicom [4].They both propose the use of Weierstrass-based curves that utilize a, b and p 
parameters.The tuning choices of these parameters remain in many studies a complete secret. 

namely the NIST [3] and Certicom [4]. They both propose to use Weierstrass-based curves that use 
the Secp256rl and secp256k1 Curves are two examples of two elliptic curves used in various cryptographic 
protocols such as TLS, SSH, ECDSA, ECDHE, ECDH and ECDLP. 

In fact the calculations on the elliptic curves, are governed by some special mathematical group law 
operations (addition of points in a Finite field) particularly greedy in terms of modular operations of addition, 
multiplication and inversion. The cost of the operations depends on the elliptic scalar multiplication 
operation. The implementation of elliptic curve ciphers requires a fine architectural study and design, in order 
to find the best compromise between complexity and speed computation. 

The two major properties for the data communication are Confidentiality and Secrecy. Therefore, 
the security of the curves relies on several mathematical criteria, which are currently mainly shared by the 
cryptography community. The main tension, around the selection of the curves to be normalized, is running 
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on the evaluation of the advantages and disadvantages of each curve (the equation, choice of curve 
parameters, performance and resistance to attacks by auxiliary channels, simplicity of implementation, 
efficiency, rigidity, back doors and safety). 


2. CURVES SECP256R1/NIST P-256 OVER THE FINITE FIELDS 

The most used elliptic curves are those proposed by the NIST on (p) introduced in FIPS [5]. They 
use special numbers. The curve parameters must be carefully chosen to avoid using a weak curve, and that 
can withstand all known attacks. There may also be other constraints for security or implementation reasons. 
Following SEC 2 [6], the domain parameters of the elliptic on Fp are a six-fold T = (p, a, b, G, n, h). Domain 
parameters as shown in Table 1. 


Table 1. Domain Parameters 
P The order of the prime field Fp 
Seed The seed selected to randomly generate, the coefficients of the elliptic curve. The 160-bit SEED 
input seed to the SHA-1 based on algorithm (the seed parameter domain) 








r The output of SHA-1 

a,b The coefficients of the elliptic curve y2 = x3+ax +b satisfying r b2 = a3 (mod p). 
n the (prime) order of the base point P. 

h The cofacteur 

XY The x and y coordinates of P. 





2.1. Mathematical approach 
2.1.1 The prime number p 

The p of the P-256 curve is a prime number of generalized Mersien. It is recommended to work on a 
field whose size is 256 bits. This prime number has the property that it can be written as the sum or 
difference of asmall number of powers of 2: 

The powers appearing in this expression are all multiples of 32. These properties give reduction 
algorithms that are particularly rapid on machines with wordize of 32 [7]. This optimization is particularly 
efficient on CPU.Let t = 232 then (1) becomes: 


p256 = 276-2 274 4 2192 4 996_] (1) 
We can then reduce the powers higher than 2 by using the congruence for (2) so the congruence relation is: 

P=tt7+t%+t-l (2) 

t*=t? +t (mod p), 2° = 2!78 +2 (mod p) (3) 
This P-256 prime number is chosen for efficiency (modular multiplication can be performed more efficiently 


than in general).Algorithm 2.1 shows the fast reduction by p256. Rapid reduction modulo p256 as shown in 
Figure 1. 





Algorithm [7] :Rapid reduction modulo pos6 = 27° —2774 +219? +2°° —1 
INPUT: An integer c = (C15,..., C2, C1, Co) in base 2°? with 0 < c < p? 26. 
OUTPUT: c mod pase. 
1. Define 256-bit integers: 
S1 = (C7, C6, C5, C4, C3, C2, C1, CO), 
$2 = (C15, C14, C13, C12, €11,0,0,0), 
$3 = (0, C15, C14, C13, €12,0,0,0), 
s4 = (c15, €14,0,0,0, c10, co, Cs), 
$5 = (C8, C13, C15, C14, C13, C11, C10, C9), 
s6 = (c10, €8,0,0,0, C13, C12, C11), 
s7 = (c11, c9,0,0, cis, C14, C13, C12), 
$s = (€12,0, C10, C9, C8, C15, C14, C13), 
So = (c13,0, C11, C10, C9,0, C15, C14). 
2. 2. Return (sl +2s2 +2s3 +s4 +s5 —s6 —s7 —s8 —s9 mod p256) 














Figure 1. Rapid reduction modulo p256 
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2.1.2 Elliptic curve Equation 
The elliptic curve is isomorphic to a curve with a reduced Weierstrass equation of the form ((p)): 


y=xita-x+bmod p if p#2. (4) 
a) The Discriminant and J-invariant 
A = 4a? + 27b and j (E) = (- 48a)°/A [8] (5) 


1) if A=0 then equation (4) is not an elliptic curve, it is a singular cubic. 

2) IfA<0O then the graph of the elliptic curve has only one component. The cubic polynomial x? + ax + b 
has a single root that corresponds to the abscissa of the intersection point of the curve with the abscissa 
axis. 

3) If A> 0 then the graph of the elliptic curve has two components. The cubic polynomial 

x3+ax+b has 3 roots, which correspond to the abscissa of the three points of intersection of the curve with the 

abscissa axis. J-invariant # 0 and K is a field of characteristic # 2, 3 then the order of the automorphism is 

equal to 2. 


b) Complexity 

In general, the group of points of an elliptical curve behaves like a "Generic group", the discrete 
logarithm has an exponential complexity [9]. The group of regular points is then isomorphic to an additive or 
multiplicative group, and the discrete logarithm is sub-exponential, even polynomial. It is imperative that A # 
0 (what happens with P ~ 1). More precisely, the complexity of a discrete logarithm is dominated by Vq, 
where q is the utmost prime divisor of the number of points of the curve so to increase the complexity it is 
necessary to have a number of points (almost) first. There are generic attacks of complexity O (vq), where q 
is the utmost prime divisor of N. A safe curve must therefore have q ~ N; ideally, q =N. 

The probability that a random curve has a primary order is approximately the same as a random 
number of the size of p is prime, P ~ I/log p [9]. Complexity of generic attacks as shown in Table 2 and 
Figure 2. 


Table 2. Complexity of Generic Attacks 








Method Fastest known attack the fastest known attack 
RSA Number Field Sieve exp(1/2(logN) 1/3(loglogN)2/3) 
ECC Pollard-rho V r= exp(1/2 log r) 








Algorithm 2 Point Doubling (y” = x?—3x +b, Jacobian coordinates) 


INPUT: P = (X1 : Y1 : Z1) in Jacobian coordinates on E/K : y” = x3 —3x +b. 
OUTPUT: 2P = (X3 : Y3 : Z3) in Jacobian coordinates. 

1. If P = then return (00). 

2. TZ? .{T;<Z*, } 

3. Tx X — Ty. {Tox X1 — 271 } 

4.T}— X, + Ty. {Ti X + 2, } 

3; T.<T, ® Ti. {T2x— x? _ ZA} 
6 
7 
8 
9 








5 To 3T>. {Tr A= 3(X1 Z\(X1 + Z1)} 
. ¥3-2Y). {Y3— B=2Y1} 
. Z3—Y3 + Z. {Z3<— B Z1} 
. Y3<-Y’; {Y3—C = B’} 
10. T3;~Y3 * X1.{T3— D= Cc Xi} 
11. Y3<Y?3 . {Y3<C?} 
12. Y3-Y3/2. {Y3<-C?/2} 
13. X3<T?. {X3<— A’} 
15. X3¢ X3 Ti. {X3« A 2D} 
16. T\<-T; r% X3. {Ty D- X3} 
17. T,<T, - Ts. {T;— (D — X3)A} 
18. Y3< Ti Y3. {Y3< (D X3)A C?/2} 
19. Return(X3 : Y3 : Zs). 














Figure 2. Point doubling 
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c) Selection of the parameter a = -3 

Most standards see the IEEE 1363-2000 standard [10], choose a = -3 because practically all curves 
have low order isogenies and this for reasons of efficiency so this choice does not affect safety. Choosing 
small values for a and b parameters makes it possible to accelerate the arithmetic of the curve. Similarly, 
Brainpool [11] uses this equation for its advantages. This choice saves 2 of the 10 multiplications required for 
adding points. A random curve on Fp is isomorphic with a curve a = -3 with probability: P = 1/4 if p=+1 
(mod 4) and P = 1/2 if p = -1 (mod 4). And finally “a” the selection = -3 for the coefficient in the elliptic 
curve equation has been made so that the points of the elliptic curve represented in the jacobian projective 
coordinates could be added using a field multiplication of less. The Figure 2 describes the Point Doubling . 

The order of the elliptic curves used in cryptography must respect some constraints in order to avoid 
known attacks. For example, this order must be a prime number of large size or the Product of a prime 
number and a small integer or cofactor, which is | in the case of a prime order curve. 


d) Cofactor 
NIST takes the cofactor as small as possible for efficiency reasons: 


card (E(F)) 
n 


A= (6) 
With h the cofactor = the order of the elliptic curve/n; with n order of the point which is the smallest integer 
such that (n.G) = 0 (0: element identity of the finite group) and G must be chosen so that n is a large integer. 

So some standards cryptographic, such as FIPS-186-4 [5], advocate the use of curves with a "small" 
cofactor h. In practice, the constraints may differ from one standard to another. 

For example, the first version of SEC1 (2000) imposed a cofactor h < 4 whereas the first version of 
2009 recommends rather h < 20 and @ for a higher level of security. 

The choice of the cofactor value depends therefore on its value because: 

si h<1 For effciency reasons 

fe h > Improve performances 

Citing as examples the Montgomery curves used by Apple which have a cofactor h > 4 and that to 
improve the performance of the curve. The Table 3 summarizes the forms of elliptic curves on Fp usable 
according to the cofactor. 


Table 3. Forms of Elliptic Curves on Fp Usable According to the Cofactor [11] 








Cofactor h Form 

1 Weierstrass 

2 Extended Jacobi Quartic form 

3 Generalized Hessien 

4 Jacobi Quartic form or Edwards form 





e) Parameter b 
For the parameter b of the P-256 curve, the following formula is used to generate it: 


i= ( 27 ) (7) 


~~ SHA1(s) 





With:s=c49d360886e704936a6678e 1 139d26b78 1 9f7e90 [12]. 

This procedure generates random data by feeding the seed into SH1 [13]. Verifiable random 
parameters offer additional conservative characteristics [1]. These parameters are selected from a seed using 
SHA-1 as specified in ANSI X9.62 [14]. This process ensures that the parameters cannot be redetermined. It 
is so extremely improbablethat the parameters will be susceptible to future special-purpose attacks and no 
traps could be placed in the parameters during their generation. 


2.2. Algebric approach 

a) Group law: for E/K: y? = x? + ax + b, char (K) # 2,3 

b) Identity: P +oo = 004+ P= P for all P € E (K). 

c) Negative: If P = (x, y) € E (K), then (x, y) + (x, -y) = 00. The point (x, -y) is denoted by-P and is called 
the negative of P; note that -P is indeed a point in E (K). Also,-co = +00 

d) Addition: Let P = (x1, yl) € E (K) and Q = (x2, y2) € E (K), where P=+Q. 
Then P + Q = (x3, y3), where: 
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x3 = (2y’ —2x1—x2and y3 = (2) = (x1—2x3)-y1 (8) 


X2—-X1 x2-—xX1 


e) Point Doubling Let P = (x1, yl) € E (K), where P =-P. 
Then 2P = (x3, y3), where: 


3x2 +a 
2y1 





= 


) —2x1 and y3 =( — 


ea (x1 —x2)-yl (9) 


The cofactor is always h = 1. 
2.3. Selection of the parameters of the curve 
The selection of the curve is conditioned by the following parameters. The p and n integersare given 


in decimal form; bit strings and field elements are given in hexadecimal. 


y2=x3-3x + 41058363725 152142129326129780047268409 1 1444 10159937255548352563 14039467401291 


Table 4. NIST-Recommended Random Elliptic Curves Over Prime Fields [6] 








Parameters Value 
p 24 256-2 * 2244+2%192+2% 96-1 

ffffEFFFOOD0000 1 COOODDDDDDDDDODDDOOOOOOOOFFFFFFFFFFFFFFFFFFFF EFF 
b 5ac635d8 aa3a93e7 b3ebbd55 769886bc 651d06b0 cc53b0f6 3bce3c3e 27d2604b 
n ffffffff OOOOOOOO FFFFFFTFFFFTFTff bce6faad a7179e84 f3b9cac2fc63255 1 
Seed c49d3608 86e70493 6a6678el 139d26b7 819f7e90 
c Tefbal66 2985be94 03cb055c 75d4f7e0 ce8d84a9 c5114abe af317768 0104fa0d 
Gx 6b17d1f2 e12c4247 f8bce6e5 63a440f2 77037d81 2deb33a0 £4a13945 d898c296 
Gy 4fe342e2 fela7f9b 8ee7eb4a 7c0f9e16 2bce3357 6b315ece cbb64068 37bf5 1f5 





3. CURVES OF KOBLITZ SECP256K1 

Secp256k1 refers to ECDSA parameters of the curve used in Bitcoin and is defined in Standards for 
Efficiency Cryptography (SEC) [6]. Secp256k1 has almost never been used before Bitcoin became popular, 
but it is gaining popularity due to its many properties. This has been generated by Certicom (a Canadian 
company) and not by the NIST like the Secp256r1 curve. 


3.1. Mathematical Approach 
3.1.1 The prime number p 

The Weierstrass coefficients defining (a, b) of the curve are (0, 7). SEC2 [6] states in Section 2.1 
that the recommended parameters associated with a Koblitz curve have been selected by repeatedly selecting 
parameters that admit an effectively calculable endomorphism until a first order curve has been found. 

The size of the field defining p seems to be a 256-bit boot of the special form : 


p=2%256-s where s is small with the form s = 2 “ 32 + t, where t <210 , and t = 29+ 28+ 27+ 26+ 24+ 1. 
So P is the seed number used in secp256k1, Bitcoin uses it as the high limit for valid private keys. If 
a private key is randomly generated larger than n, it is rejected and a new key is regenerated. The probability 


of such occurrence is low because P is "almost" as large as 2256-1 (256 bits all set to 1). Algorithm of the 
random generator of private key as shown in Figure 3. 


Random private key generator 





Figure 3. Algorithm of the random generator of private key 
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3.1.2 Elliptic curve equation 

It has a first order of 256 bits. Interestingly, this choice deviates from those made in FIPS 186-4 in 
that the coefficients of the curve are a =0 and b=7. 

The elliptic curve is isomorphic to a curve with a reduced Weierstrass equation of the form ((p)): 


y=x3+bmod pif #2.3 (10) 


As a constant is zero, the term ax of the equation of the curve is always zero, hence the equation of the curve 
becomes y” = x? +7. 


a) The Discriminant and J-invariant 
A = 4a} + 27b*¢ 0 and j(E) = (-48a)?/ A = 0 because a = 0 


This means that secp256k1 has j-invariant 0 so this curve is said to be super-singular and therefore 
has a very special structure and calculable endomorphism that can be used to accelerate implementations, for 
example by using the GLV decomposition for scalar multiplication [15]. This idea was introduced by 
Gallant, Lambert and Vanstone (GLV).Elliptic curves having efficiently-computableendomorphisms should 
be regarded as “special” elliptic curves. Using “special” instances of cryptographic schemes is sometimes 
done for efficiency reasons [15]. 


b) Complexity 

This could lead to a more serious attack on secp256k1 because an attacker could get scalar multiples 
with one-point scalars on any curve on Fp with coefficient a = 0, that is, on the one of the twists of 
secp256k1. 


3.2. Algebraic Approach 
3.2.1 Automorphism 

Elliptic curves with effectively calculable endomorphismsare considered as "special" elliptic curves, 
with a small coefficient. But efficient endomorphisms accelerate scalar multiplication, but also Pollard's rho 
algorithm] for calculating logarithms discreet. For this special class of curves, the acceleration can reach up 
to 50% compared to the best general methods of point multiplication [16]. If J-invariant = 0 and K is a field 
of characteristic # 2, 3 then the order of the automorphism is equal to 6. 


3.2.2 Fast Scalar Multiplication 'GLV decomposition" 

There are two methods for accelerating the computation of the scalar multiplication Q = kP on 
elliptic curves having a non-trivial character effectively calculable endomorphism that are: 

a) The Solinas method [15]: This method could only be applied for an elliptic curve defined on binary 
fields, the endomorphism considered to be theFrobenius. 

b) The Gallant-Lambert-Vanstone (GLV) method [15]: its method of elliptic curves defined is applied on 
primary fields Fp, the decomposition is the basis of the computation acceleration. 

Another consequence of the larger automorphism group is the existence of six twists (including the 
curve itself and the standard quadratic twist). The automorphism group of E has the order 6 and is generated 
by the map y. The curve secp256k1: =1 (mod6), there exists a 6th primitive root of the unit €Fp, CEFp, and a 
corresponding automorphism of curve such that C6 = 1 [15]. 


W: — E, (x, y) > (Gx, -y) (11) 


Fast scalar multiplication yP = AP for an integer 46=1 (mod n). The main advantage of these curves 
is that dot multiplication algorithms can be designed that does not use dot dubbing. 


3.2.3 Selection of parameters of the special Koblitz curve 

The elliptic curve parameters of the domain on Fp associated with a Koblitz curve Secp256k1 are 
defined by the sixfold T = (p, a, b, G, n, h) where the finite field Fp. Parameter of Secp256klas shown in 
Table 5 [6]. 

The curve of Secp256k1 is in the form: E: y2 = x3 + 7 mod p on Fp 





A comparison between the secp256rland the koblitz secp256k1 bitcoin curves... (Azine Houria) 


916 Oo ISSN: 2502-4752 


Table 5. Parameter of Secp256k1[6] 








Parameters Value 

p 24 256-2 * 32 -2%9 -2% 8-2%7-2%6-2%4-1 
FEPEPEPELEP ELE EL EL EEL EL ELL EE EL EEE EL EE EEE EEE EEE fe 

a 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 

b 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000007 

G 04 79be667e f9dcbbac 55a06295 ce870b07 O29bfcdb 2dce28d9 59f2815b 16f81798 483ada77 
26a3c465 5da4fbfc 0e1108a8 fd17b448 26855419 9c47d08f fb10d4b8 

n fEPfEFFEFELEFFFLFFFELFT ff ffffffe baaedce6 af48a03b bfd25e8c d0364141 

h 1 





The parameters a, b and p must correctlybe chosen in order to resist the mathematical attacks. 


4. COMPARISON OF SECP256R1 AND SECP256K1 CURVES 

After studying the two curves, we mention the main differences in Table 5. The SafeCurves 
website [17] presents security assessments of various. The comparison between secp256rl1 and secp256k1 as 
shown in Table 6. 


Table 6. The comparison between secp256rl and secp256k1 








curve Secp256r1 Secp256k1 
sata mnsec256r1 mnsec256k1 
2 |—————_ = 127.83 2 |—————_ = 127.03 
4 2 
Automorphism Order 2 6 
Parameters “a” 3 are claims of effectiveness, a= 0 the term ax of the equation of the 
not safety claims curve is always zero 
Cost for a combine attak[17] 21203 2* 109,5 





Koblitz curves are generally known to be a few bits weaker than first-order field curves, but when it 
comes to 256-bit curves, it has little impact. Bitcoin works with a fixed curve and generates only private and 
public keys, according to Safecurves [17] the elliptic curve secp256k1 can be considered somewhat "rigid" 
which means that almost all parameters are transparent to the public and can therefore be supposed not 
generated to be weak. The rho method breaks the ECDLP using on average additions of about 0.886 VI so the 
safety is comparable for both curves. 

The cost for a combined attack is almost the same for both curves. Certainly the Secp256k1 curve 
has comparable security as the curve but it has additional twists [16], which lead to more possibilities for an 
attack. On the other hand, an elliptic curve with j-invariant different from 0 and 1728 as the case of the 
curve secp256rl only has a group automorphism of order 2, so that the acceleration of the Pollard rho 
algorithm [16] is a constant factor up to V3 on such a curve. 

Secp256k1 is often more than 30% faster than the other curves if the implementation 1s sufficiently 
optimized and the criterion of speed is a very important criterion for the Bitcoins because a payment with 
Bitcoin is almost instantaneous. However, secp256rl uses the very suspicious seed "c49d360886e704936a6 
678e1139d26b7819f7e90" which is strangely similar to the backdoor in Dual_EC_DRBG [18]. 

The elliptic curve Bitcoin has the lowest IDI of all known standardized elliptic curves, and therefore 
is potentially less secure. 


5. THE MINING OF BITCOIN 

The minors of the Bitcoin protocol use special software and hardware to solve the problem of 
discrete logarithm or hash functions (Hash256). Hash rates are an important factor that miners must use to 
determine profits. Several parameters are taken into consideration during the mining, such as the difficulty, 
the rate of hashing, the cost of electricity and of course, without forgetting the complexity, the slowness and 
the cost of the equipment, the renewal of the equipment which quickly becomes obsolete and the heat 
released by the Bitcoins mining equipment tends to easily overheat, which can interrupt its operation. 

To overcome all these parameters, miners work in pools to reduce the cost of mining by pooling the 
computing power of their computers and increase their block resolution capacity. 

Mining with a processor (CPU) was the only way to mine bitcoins. Graphics cards (GPUs) 
eventually replaced CPUs because of their nature, which allowed an increase between 50x to 100x [18] in the 
computing power in using less electricity per megahash compared to a CPU. The mining world has evolved 
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into the use of Field Programmable Gate Arrays (FPGAs) as a mining platform. Although FPGAs did not 
offer a 50x to 100x increase in computing speed as the transition from CPU to GPU [19], they offered better 
energy efficiency. The world of bitcoin mining is now migrating to the Application Specific Integrated 
Circuit (ASIC). The rigidity of an ASIC allows it to offer an increase in computing power of 100x [19] while 
reducing power consumption compared to all other technologies. 

We find that the mining power is high and becomes higher, thanks to the development of new 
mining equipment. The required number of zeros at the beginning of a hash is changed twice a week to adjust 
the difficulty of creating a block and more zeros means more difficulty. The Bitcoin protocol adds these zeros 
to maintain the speed at which blocks are added to a new block every 10 minutes. The idea is to compensate 
for the mining equipment becoming more and more powerful. When the hash is harder, more calculations are 
needed to create a block and thus more effort to gain new bitcoins, which are then added to the traffic. 
Transition of Mining Technology as shown in Figure 4 and Comparison of computing power as shown in 
Figure 5. 


a 


Figure 4.Transition of Mining Technology 


| The hash rate MH/s 


CPu GPU PRGA ASK 
Figure 5.Comparison of computing power 


6. CONCLUSION 

Constant time calculations help prevent information leaks on the secret key by measuring how long 
it takes to create the signature. As a result, besides simplicity and efficiency, Secp256k1 could leak 
information for side channel attacks because the time for some calculations is not constant. 

With the new boost that Bitcoin cryptocurrency is having, the research community will turn its 
attention to two aspects, the cryptography behind the Bicoin and the possible attacks.The major problem is 
the disambiguity of the possible backdoor, except for mathematical indication, and the various choices in the 
parameters are not clear or are not completely specified. SafeCurves argues that attackers could have 
manipulated the choice of standard curves to be vulnerable to a secret attack that applies to a small fraction of 
curves. The mathematics behind Bitcoin and ECC are based on the solution of very difficult problems of 
discrete logarithmic problems, that is to say, it is a computationally complex problem. With the introduction 
and advancement of graphics processing units and cloud computations, NIST standards and other 
organizations need to be updated. 

The new era of computing and the speed of new GPUs that can affect the cryptoanalysis market 
might be a serious problem for Bitcoin ciphering, especially if it represents the new possiblecurrency. 
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